Pretty good thread. Thanks for the chat @lvh. https://twitter.com/lvh/status/1005085612607787009 …
Replying to @patricktoomey @lvh
No, don't use Ed25519. Use a probabilistic signature scheme that derives nonces from private key, message and some randomness.
Incidentally, I thought the XEdDSA specification was going to be updated to move the random value so that the private key and the message weren't in the same hash block, but https://signal.org/docs/specifications/xeddsa/ … doesn't seem to have that change. I wonder if that is actually the latest version.
Replying to @BRIAN_____ @XorNinja and
If you care about fault injection attacks then I don't know that any variant of Ed25519 is good to use, because Ed25519 is usually implemented using x-coordinate only multiplication so you can't verify that the result is on the curve. (IDK if that's necessary or sufficient yet.)
Replying to @BRIAN_____ @XorNinja and
What? Ed25519 points are encoded using the (affine) y coordinate, and most implementations (including yours) use the extended coordinates of Hisil, Wong, Carter, and Dawson, not Montgomery x-line arithmetic.
Replying to @hdevalence @XorNinja and
Is this the normal way it's done? I thought it was normal to try to implement x25519 and then implement Ed25519 as a hack on top of it. If the hacky way isn't normal then it's probably less of a concern.
Replying to @BRIAN_____ @hdevalence and
How would one do that? AFAIK for signing you can't use x-only Montgomery arithmetic because encoded Ed25519 points specify a single point, not a pair of points; and for verification, you can't use a differential addition formula with Shamir's trick.
Replying to @bmastenbrook @BRIAN_____ and
+1 to what @bmastenbrook said. @BRIAN_____, people usually convert public keys from X25519 to Ed25519, to use a single key pair for both encryption and signature (I never am comfortable with this idea)
Is it common to need to use the same key for X25519 and Ed25519? My understanding is that some product started out with only X25519 keys and then needed to somehow get Ed25519 keys w/o changing the base design, but is it necessary for anybody other than that one project?
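The X25519-to-Ed25519 public key conversion mentioned in the thread, and the point that a Montgomery u-coordinate names a pair of points rather than one, as an added example that is not from any participant in the thread. It uses the birational map from RFC 7748; the function names are hypothetical, and no check is made that the input lies on the curve.

```python
# Added example: birational map between X25519 (Montgomery u) and
# Ed25519 (Edwards y) public keys, following RFC 7748 section 4.1.
# Function names are hypothetical; inputs are not checked to be on the curve.
P = 2**255 - 19  # field prime shared by both curves
MASK255 = (1 << 255) - 1


def _inv(a: int) -> int:
    """Modular inverse via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def x25519_to_ed25519_pub(u_bytes: bytes, sign_bit: int = 0) -> bytes:
    """Map a 32-byte X25519 public key to a 32-byte Ed25519 point encoding.

    The u-coordinate identifies a pair of points (Q and -Q), so the caller
    has to supply the sign bit of x; XEdDSA fixes it to 0.
    """
    if len(u_bytes) != 32 or sign_bit not in (0, 1):
        raise ValueError("need 32 bytes and a sign bit of 0 or 1")
    # RFC 7748: the top bit of an encoded u-coordinate is ignored.
    u = (int.from_bytes(u_bytes, "little") & MASK255) % P
    if u == P - 1:
        raise ValueError("u = -1 has no image under the map")
    y = (u - 1) * _inv(u + 1) % P          # y = (u - 1) / (u + 1)
    return (y | (sign_bit << 255)).to_bytes(32, "little")


def ed25519_to_x25519_pub(ed_bytes: bytes) -> bytes:
    """Map an Ed25519 point encoding to its X25519 u-coordinate."""
    if len(ed_bytes) != 32:
        raise ValueError("need 32 bytes")
    y = int.from_bytes(ed_bytes, "little") & MASK255  # sign bit is discarded
    if y >= P or y == 1:
        raise ValueError("non-canonical y, or y = 1 (identity) has no image")
    u = (1 + y) * _inv(1 - y) % P          # u = (1 + y) / (1 - y)
    return u.to_bytes(32, "little")


if __name__ == "__main__":
    base_u = (9).to_bytes(32, "little")    # X25519 base point, u = 9
    for bit in (0, 1):
        ed = x25519_to_ed25519_pub(base_u, bit)
        # Both encodings map back to the same u: the sign is lost.
        print(bit, ed.hex(), ed25519_to_x25519_pub(ed).hex())
```

Both sign choices yield valid but different Ed25519 encodings that collapse to the same X25519 key, which is why a scheme reusing one key pair has to fix the sign by convention.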